Comments on: Authenticating Alan Shimel is Certifiably Hard http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html The Emergent Chaos Jazz Combo Mon, 08 Mar 2010 14:28:34 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Adam http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4985 Adam Mon, 25 Aug 2008 18:44:55 +0000 http://emergentchaos.com/?p=2871#comment-4985 Zach--yes, it's a joke, about how hard it is to keep track of who's who. Perhaps a little too obvious. I'll be curious to see how it impacts image searches for a while. :) Zach–yes, it’s a joke, about how hard it is to keep track of who’s who. Perhaps a little too obvious. I’ll be curious to see how it impacts image searches for a while. :)

]]> By: Adrian Lane http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4984 Adrian Lane Mon, 25 Aug 2008 18:13:34 +0000 http://emergentchaos.com/?p=2871#comment-4984 Looks like site defacement to me ... perhaps Adam has been hacked as well. Looks like site defacement to me … perhaps Adam has been hacked as well.

]]> By: Ryan Russell http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4983 Ryan Russell Mon, 25 Aug 2008 17:22:17 +0000 http://emergentchaos.com/?p=2871#comment-4983 Yeah, the name/license isn't always good enough. At Black Hat & Defcon this year, there were two Ryan Russells and a Russell Ryan. Not as in people impersonating me, those are our legitimate names. Yeah, the name/license isn’t always good enough. At Black Hat & Defcon this year, there were two Ryan Russells and a Russell Ryan. Not as in people impersonating me, those are our legitimate names.

]]> By: Jim Burrows http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4982 Jim Burrows Mon, 25 Aug 2008 16:15:31 +0000 http://emergentchaos.com/?p=2871#comment-4982 <blockquote>Of course, that just moves the problem around -- now you have to worry about domain hijacking.</blockquote> And of course one of Shimel's problems was that they stole both his email and his domain -- see his rant about Go Daddy <a href='http://www.stillsecureafteralltheseyears.com/ashimmy/2008/08/more-frustratio.html' rel="nofollow">here</a>. After reading his various postings on this, I am left with two basic questions:<ol><li>What would he (or you) do to avoid future identity theft?</li><li>What would he (or you) do to improve the chances of recovery from future identity theft?</li></ol>In "<a href='http://www.stillsecureafteralltheseyears.com/ashimmy/2008/08/im-back.html' rel="nofollow">I'm back</a>", he writes, <blockquote>Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me. In many ways this has made me truly a security person. You will see a much deeper commitment by me in keeping the slime of the world from being successful. I am going to do everything I can to making myself, my family and all of us more secure. Security for me has gone from a business to a way of life.</blockquote> That's a lovely sentiment, and I'm sure that many people leave their "Wall of Sheep" experience feeling the same way, but what does it really mean? After 9/11, the US as a country said much the same thing. And then we entered into a security plan that centers on identity. To stop terrorists. You might be able to stop <em>known</em> terrorists with an identity-based solution, but identity won't do squat about stopping <em>unknown</em> terrorists, and in fact the ideal story for a terrorist is to go from unknown terrorist to world famous successful terrorist. Identity <em>helps</em> achieve that. And as Bruce Schneier <a href='http://www.schneier.com/blog/archives/2008/08/mi5_on_terroris.html#comments' rel="nofollow">recently pointed out</a>, an MI5 reports suggests, profiling to identify terrorists isn't likely to work, at least not with our current understanding of profiling. I hear a lot of people these days declaring a devotion to "better security", and "better practices", but what are those practices? Shimel himself, <a>pointed out</a> that the biggest problem, the "clowns" in the security circus are the software implementers. He begs us not to blame the security people but the masses of coders who build the vulnerable products. Consider this in light of Schneier's comment that security engineering is "programming Satan's computer" and harder than just creating reliable software on "Murphy's computer" and way harder than "straight forward" computer programming. What makes Shimel's harried programmers "clowns" is that they are just programming generic computers and not either Murphy's or Satan's. But is only the cream of the elite are doing it right and the great unwashed masses of programmers are clowns, building in vulnerability, what's a "security person" going to do? How do we answer the two questions above? Just asking.

Of course, that just moves the problem around — now you have to worry about domain hijacking.

And of course one of Shimel’s problems was that they stole both his email and his domain — see his rant about Go Daddy here.
After reading his various postings on this, I am left with two basic questions:

  1. What would he (or you) do to avoid future identity theft?
  2. What would he (or you) do to improve the chances of recovery from future identity theft?

In “I’m back“, he writes,

Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me. In many ways this has made me truly a security person. You will see a much deeper commitment by me in keeping the slime of the world from being successful. I am going to do everything I can to making myself, my family and all of us more secure. Security for me has gone from a business to a way of life.

That’s a lovely sentiment, and I’m sure that many people leave their “Wall of Sheep” experience feeling the same way, but what does it really mean?
After 9/11, the US as a country said much the same thing. And then we entered into a security plan that centers on identity. To stop terrorists. You might be able to stop known terrorists with an identity-based solution, but identity won’t do squat about stopping unknown terrorists, and in fact the ideal story for a terrorist is to go from unknown terrorist to world famous successful terrorist. Identity helps achieve that.
And as Bruce Schneier recently pointed out, an MI5 reports suggests, profiling to identify terrorists isn’t likely to work, at least not with our current understanding of profiling.
I hear a lot of people these days declaring a devotion to “better security”, and “better practices”, but what are those practices?
Shimel himself, pointed out that the biggest problem, the “clowns” in the security circus are the software implementers. He begs us not to blame the security people but the masses of coders who build the vulnerable products.
Consider this in light of Schneier’s comment that security engineering is “programming Satan’s computer” and harder than just creating reliable software on “Murphy’s computer” and way harder than “straight forward” computer programming.
What makes Shimel’s harried programmers “clowns” is that they are just programming generic computers and not either Murphy’s or Satan’s. But is only the cream of the elite are doing it right and the great unwashed masses of programmers are clowns, building in vulnerability, what’s a “security person” going to do?
How do we answer the two questions above?
Just asking.

]]> By: David Brodbeck http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4981 David Brodbeck Mon, 25 Aug 2008 13:49:23 +0000 http://emergentchaos.com/?p=2871#comment-4981 I suppose this is an argument for having a vanity domain, and sending all your critical email to it...if one email account gets compromised, you can just point the domain somewhere else. Of course, that just moves the problem around -- now you have to worry about domain hijacking. I suppose this is an argument for having a vanity domain, and sending all your critical email to it…if one email account gets compromised, you can just point the domain somewhere else. Of course, that just moves the problem around — now you have to worry about domain hijacking.

]]> By: shrdlu http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4980 shrdlu Mon, 25 Aug 2008 11:45:27 +0000 http://emergentchaos.com/?p=2871#comment-4980 Well, you know how it is, we all look alike ... Well, you know how it is, we all look alike …

]]> By: Zach http://emergentchaos.com/archives/2008/08/authenticating-alan-shimel-is-certifiably-hard.html/comment-page-1#comment-4979 Zach Mon, 25 Aug 2008 11:29:01 +0000 http://emergentchaos.com/?p=2871#comment-4979 It's funny that Google, with their eyebrow-raising stance toward privacy, is chosen over Yahoo! in this case. Though I suppose that's not what the concern is. The whole situation became a bit unsettling for others when the e-mail (posted to FD) called out other..."targets". Oh, and is there a joke behind having *Rothman's* photo up there? :) It’s funny that Google, with their eyebrow-raising stance toward privacy, is chosen over Yahoo! in this case. Though I suppose that’s not what the concern is.
The whole situation became a bit unsettling for others when the e-mail (posted to FD) called out other…”targets”.
Oh, and is there a joke behind having *Rothman’s* photo up there? :)

]]>